php - How secure is simple admin validation with if statement? -
i wondering how secure simple php script if statement admin password. say, have webpage want login edit content. if created html login script, retrieved credentials through post, , validated password , username through 'if' statement, such as
if ($_post['pass'] = 'somepasswordwithalotof123456789' , $_post['user']) { .. stuff ... }
i'm sure approach have major security issues, i'm curious go wrong i'm researching bit on writing secure php applications. reason why interested in approach, avoids database contact. also, aware of possibility of brute force attacks approach.
thanks in advance.
that secure how keep web server's ftp/filesystem access away users, no 1 able see script's source code.
therefore, might want hash password before comparing.
echo password_hash('somepasswordwithalotof1234567', password_bcrypt);
this output: $2y$10$abapxe/k/mdqwzkrf7jhc.7z6gks0yfzdrgoxgxes24oh1/224b.c
now, use string instead comparison key. have add flavor:
if (password_hash($_post['pass'], password_bcrypt) == '$2y$10$abapxe/k/mdqwzkrf7jhc.7z6gks0yfzdrgoxgxes24oh1/224b.c') { .. stuff ... }
just add username validation , you're ready go.
now if worry brute-force attack, can add max 5 login attempts timeout implementation in script.
making use of captcha in login form can prevent automated brute-force/dictionary attacks.
if working on system delivered client, may want encode source code won't easy them read script. @ least, tedious job them decode script.
you can use sourceguardian this.
on other hand, there free obfuscators/encoders available out there, php protect.
Comments
Post a Comment